ADVISORIES

• CVE-2018-1000855 (NVD)
• GHSA-c289-47qf-rvrr
• Vendor Advisory

GEM

easymon

SEVERITY

CVSS v3.x: 6.1 (Medium)

PATCHED VERSIONS

• >= 1.4.1

DESCRIPTION

When passing an invalid check name as parameter to the endpoint where the easymon routes are mounted, a 406 response with a body that contains the invalid check name unescaped is returned. Malicious JavaScript can be injected into that invalid name and have it executed in Firefox

RELATED

• https://github.com/basecamp/easymon/pull/25